
Linux Analysis Report
loligang.arm7

Overview

General Information

Sample Name: loligang.arm7
Analysis ID: 651258
MD5: 288e8dabaa23476987b7b953beb1e319
SHA1: ac59052889d6282c6c86abb9118aff243d0b4ed5
SHA256: a509e3b17d1efefa74540e9e27570cb98f42999881baca6cd4942c1c5ed4a8fe

Detection

Mirai
Score: 100
Range: 0 - 100
Whitelisted: false

Signatures

Malicious sample detected (through community Yara rule)
Antivirus / Scanner detection for submitted sample
Yara detected Mirai
Multi AV Scanner detection for submitted file
Contains symbols with names commonly found in malware
Yara signature match
Uses the "uname" system call to query kernel version information (possible evasion)
Enumerates processes within the "proc" file system
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)
Detected TCP or UDP traffic on non-standard ports
Sample and/or dropped files contains symbols with suspicious names
Sample listens on a socket
Sample tries to kill a process (SIGKILL)

Classification

Analysis Advice

Static ELF header machine description suggests that the sample might not execute correctly on this machine.
All HTTP servers contacted by the sample do not answer. The sample is likely an old dropper that no longer works.
Static ELF header machine description suggests that the sample might only run correctly on MIPS or ARM architectures.
Joe Sandbox Version: 35.0.0 Citrine
Analysis ID: 651258
Start date and time: 2022-06-23 17:55:20 +02:00
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 5m 15s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: loligang.arm7
Cookbook file name: defaultlinuxfilecookbook.jbs
Analysis system description: Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode: default
Detection: MAL
Classification: mal100.troj.linARM7@0/0@0/0
  • Report size exceeded maximum capacity and may have missing network information.
Command: /tmp/loligang.arm7
PID: 6226
Exit Code: 0
Exit Code Info:
Killed: False
Standard Output:
lzrd cock fest"/proc/"/exe
Standard Error:
  • system is lnxubuntu20
  • cleanup
Yara matches (Source, Rule, Description, Author, Strings):
Source: loligang.arm7, Rule: SUSP_XORed_Mozilla, Author: Florian Roth, Description: Detects suspicious single byte XORed keyword 'Mozilla/5.0' - it uses yara's XOR modifier and therefore cannot print the XOR key. You can use the CyberChef recipe linked in the reference field to brute force the used key.
  • 0x1625c:$xo1: oMXKNNC\x0D\x17\x0C\x12
  • 0x162cc:$xo1: oMXKNNC\x0D\x17\x0C\x12
  • 0x1633c:$xo1: oMXKNNC\x0D\x17\x0C\x12
  • 0x163ac:$xo1: oMXKNNC\x0D\x17\x0C\x12
  • 0x1641c:$xo1: oMXKNNC\x0D\x17\x0C\x12
  • 0x1668c:$xo1: oMXKNNC\x0D\x17\x0C\x12
  • 0x166e0:$xo1: oMXKNNC\x0D\x17\x0C\x12
  • 0x16734:$xo1: oMXKNNC\x0D\x17\x0C\x12
  • 0x16788:$xo1: oMXKNNC\x0D\x17\x0C\x12
  • 0x167dc:$xo1: oMXKNNC\x0D\x17\x0C\x12
Source: loligang.arm7, Rule: Mirai_Botnet_Malware, Author: Florian Roth, Description: Detects Mirai Botnet Malware
  • 0x15c38:$x1: POST /cdn-cgi/
  • 0x160dc:$s1: LCOGQGPTGP
Source: loligang.arm7, Rule: MAL_ELF_LNX_Mirai_Oct10_2, Author: Florian Roth, Description: Detects ELF malware Mirai related
  • 0x15c38:$c01: 50 4F 53 54 20 2F 63 64 6E 2D 63 67 69 2F 00 00 20 48 54 54 50 2F 31 2E 31 0D 0A 55 73 65 72 2D 41 67 65 6E 74 3A 20 00 0D 0A 48 6F 73 74 3A
Source: loligang.arm7, Rule: MAL_ARM_LNX_Mirai_Mar13_2022, Author: Mehmet Ali Kerimoglu a.k.a. CYB3RMX, Description: Detects new ARM Mirai variant
  • 0x216a5:$attck1: attack.c
  • 0x216d9:$attck3: anti_gdb_entry
  • 0x216e8:$attck4: resolve_cnc_addr
  • 0x22289:$attck7: attack_get_opt_ip
Source: loligang.arm7, Rule: JoeSecurity_Mirai_5, Author: Joe Security, Description: Yara detected Mirai
Source: dump.pcap, Rule: JoeSecurity_Mirai_12, Author: Joe Security, Description: Yara detected Mirai
Source: 6235.1.00000000f2097c29.00000000b0e52cbf.rw-.sdmp, Rule: SUSP_XORed_Mozilla, Author: Florian Roth, Description: Detects suspicious single byte XORed keyword 'Mozilla/5.0' - it uses yara's XOR modifier and therefore cannot print the XOR key. You can use the CyberChef recipe linked in the reference field to brute force the used key.
      • 0x3a48:$xo1: oMXKNNC\x0D\x17\x0C\x12
      • 0x3ac0:$xo1: oMXKNNC\x0D\x17\x0C\x12
      • 0x3b38:$xo1: oMXKNNC\x0D\x17\x0C\x12
      • 0x3bb0:$xo1: oMXKNNC\x0D\x17\x0C\x12
      • 0x3c28:$xo1: oMXKNNC\x0D\x17\x0C\x12
      • 0x3eb8:$xo1: oMXKNNC\x0D\x17\x0C\x12
      • 0x3f10:$xo1: oMXKNNC\x0D\x17\x0C\x12
      • 0x3f68:$xo1: oMXKNNC\x0D\x17\x0C\x12
      • 0x3fc0:$xo1: oMXKNNC\x0D\x17\x0C\x12
      • 0x4018:$xo1: oMXKNNC\x0D\x17\x0C\x12
Source: 6229.1.00000000f2097c29.00000000b0e52cbf.rw-.sdmp, Rule: SUSP_XORed_Mozilla, Author: Florian Roth, Description: Detects suspicious single byte XORed keyword 'Mozilla/5.0' - it uses yara's XOR modifier and therefore cannot print the XOR key. You can use the CyberChef recipe linked in the reference field to brute force the used key.
Source: 6226.1.00000000f2097c29.00000000b0e52cbf.rw-.sdmp, Rule: SUSP_XORed_Mozilla, Author: Florian Roth, Description: Detects suspicious single byte XORed keyword 'Mozilla/5.0' - it uses yara's XOR modifier and therefore cannot print the XOR key. You can use the CyberChef recipe linked in the reference field to brute force the used key.
Source: 6229.1.0000000051d3e91b.00000000a87f4f70.r-x.sdmp, Rule: SUSP_XORed_Mozilla, Author: Florian Roth, Description: Detects suspicious single byte XORed keyword 'Mozilla/5.0' - it uses yara's XOR modifier and therefore cannot print the XOR key. You can use the CyberChef recipe linked in the reference field to brute force the used key.
Source: 6229.1.0000000051d3e91b.00000000a87f4f70.r-x.sdmp, Rule: Mirai_Botnet_Malware, Author: Florian Roth, Description: Detects Mirai Botnet Malware
      • 0x15c38:$x1: POST /cdn-cgi/
      • 0x160dc:$s1: LCOGQGPTGP
No Snort rule has matched

AV Detection

Source: loligang.arm7, Avira: detected
Source: loligang.arm7, Virustotal: Detection: 63%
Source: global traffic, TCP traffic: 192.168.2.23:42836 -> 91.189.91.43:443
Source: global traffic, TCP traffic: 192.168.2.23:42516 -> 109.202.202.202:80
Source: global traffic, TCP traffic: 192.168.2.23:43928 -> 91.189.91.42:443
Source: global traffic, TCP traffic: 192.168.2.23:45602 -> 139.59.109.181:1791
Source: /tmp/loligang.arm7 (PID: 6228), Socket: 0.0.0.0::23
Source: /tmp/loligang.arm7 (PID: 6228), Socket: 0.0.0.0::0
Source: /tmp/loligang.arm7 (PID: 6228), Socket: 0.0.0.0::80
Source: /tmp/loligang.arm7 (PID: 6228), Socket: 0.0.0.0::81
Source: /tmp/loligang.arm7 (PID: 6228), Socket: 0.0.0.0::8443
Source: /tmp/loligang.arm7 (PID: 6228), Socket: 0.0.0.0::9009
Source: /tmp/loligang.arm7 (PID: 6234), Socket: 0.0.0.0::0
Source: /tmp/loligang.arm7 (PID: 6234), Socket: 0.0.0.0::80
Source: /tmp/loligang.arm7 (PID: 6234), Socket: 0.0.0.0::81
Source: /tmp/loligang.arm7 (PID: 6234), Socket: 0.0.0.0::8443
Source: /tmp/loligang.arm7 (PID: 6234), Socket: 0.0.0.0::9009
Source: unknown, Network traffic detected: HTTP traffic on port 43928 -> 443
Source: unknown, Network traffic detected: HTTP traffic on port 42836 -> 443

System Summary

Source: loligang.arm7, type: SAMPLE, Matched rule: Detects Mirai Botnet Malware, Author: Florian Roth
Source: loligang.arm7, type: SAMPLE, Matched rule: Detects ELF malware Mirai related, Author: Florian Roth
Source: 6229.1.0000000051d3e91b.00000000a87f4f70.r-x.sdmp, type: MEMORY, Matched rule: Detects Mirai Botnet Malware, Author: Florian Roth
Source: 6229.1.0000000051d3e91b.00000000a87f4f70.r-x.sdmp, type: MEMORY, Matched rule: Detects ELF malware Mirai related, Author: Florian Roth
Source: 6235.1.0000000051d3e91b.00000000a87f4f70.r-x.sdmp, type: MEMORY, Matched rule: Detects Mirai Botnet Malware, Author: Florian Roth
Source: 6235.1.0000000051d3e91b.00000000a87f4f70.r-x.sdmp, type: MEMORY, Matched rule: Detects ELF malware Mirai related, Author: Florian Roth
Source: 6228.1.0000000051d3e91b.00000000a87f4f70.r-x.sdmp, type: MEMORY, Matched rule: Detects Mirai Botnet Malware, Author: Florian Roth
Source: 6228.1.0000000051d3e91b.00000000a87f4f70.r-x.sdmp, type: MEMORY, Matched rule: Detects ELF malware Mirai related, Author: Florian Roth
Source: 6226.1.0000000051d3e91b.00000000a87f4f70.r-x.sdmp, type: MEMORY, Matched rule: Detects Mirai Botnet Malware, Author: Florian Roth
Source: 6226.1.0000000051d3e91b.00000000a87f4f70.r-x.sdmp, type: MEMORY, Matched rule: Detects ELF malware Mirai related, Author: Florian Roth
Source: ELF static info symbol of initial sample, Name: attack.c
Source: ELF static info symbol of initial sample, Name: attack_app.c
Source: ELF static info symbol of initial sample, Name: attack_app_http
Source: ELF static info symbol of initial sample, Name: attack_get_opt_int
Source: ELF static info symbol of initial sample, Name: attack_get_opt_ip
Source: ELF static info symbol of initial sample, Name: attack_get_opt_str
Source: ELF static info symbol of initial sample, Name: attack_init
Source: ELF static info symbol of initial sample, Name: attack_method.c
Source: ELF static info symbol of initial sample, Name: attack_method_asyn
Source: ELF static info symbol of initial sample, Name: attack_method_greip
Matched rule: SUSP_XORed_Mozilla (date = 2019-10-28, author = Florian Roth, description = Detects suspicious single byte XORed keyword 'Mozilla/5.0' - it uses yara's XOR modifier and therefore cannot print the XOR key. You can use the CyberChef recipe linked in the reference field to brute force the used key., reference = https://gchq.github.io/CyberChef/#recipe=XOR_Brute_Force(), score = , modified = 2022-05-13)
  • Source: loligang.arm7, type: SAMPLE
  • Source: 6235.1.00000000f2097c29.00000000b0e52cbf.rw-.sdmp, type: MEMORY
  • Source: 6229.1.00000000f2097c29.00000000b0e52cbf.rw-.sdmp, type: MEMORY
  • Source: 6226.1.00000000f2097c29.00000000b0e52cbf.rw-.sdmp, type: MEMORY
  • Source: 6228.1.00000000f2097c29.00000000b0e52cbf.rw-.sdmp, type: MEMORY
  • Source: 6229.1.0000000051d3e91b.00000000a87f4f70.r-x.sdmp, type: MEMORY
  • Source: 6235.1.0000000051d3e91b.00000000a87f4f70.r-x.sdmp, type: MEMORY
  • Source: 6228.1.0000000051d3e91b.00000000a87f4f70.r-x.sdmp, type: MEMORY
  • Source: 6226.1.0000000051d3e91b.00000000a87f4f70.r-x.sdmp, type: MEMORY
Matched rule: Mirai_Botnet_Malware (date = 2016-10-04, author = Florian Roth, description = Detects Mirai Botnet Malware, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash1 = 05c78c3052b390435e53a87e3d31e9fb17f7c76bb4df2814313bca24735ce81c, hash2 = 05c78c3052b390435e53a87e3d31e9fb17f7c76bb4df2814313bca24735ce81c, hash3 = 20683ff7a5fec1237fc09224af40be029b9548c62c693844624089af568c89d4, hash4 = 2efa09c124f277be2199bee58f49fc0ce6c64c0bef30079dfb3d94a6de492a69, hash5 = 420bf9215dfb04e5008c5e522eee9946599e2b323b17f17919cd802ebb012175, hash6 = 62cdc8b7fffbaf5683a466f6503c03e68a15413a90f6afd5a13ba027631460c6, hash7 = 70bb0ec35dd9afcfd52ec4e1d920e7045dc51dca0573cd4c753987c9d79405c0, hash8 = 89570ae59462e6472b6769545a999bde8457e47ae0d385caaa3499ab735b8147, hash9 = bf0471b37dba7939524a30d7d5afc8fcfb8d4a7c9954343196737e72ea4e2dc4, hash10 = c61bf95146c68bfbbe01d7695337ed0e93ea759f59f651799f07eecdb339f83f, hash11 = d9573c3850e2ae35f371dff977fc3e5282a5e67db8e3274fd7818e8273fd5c89, hash12 = f1100c84abff05e0501e77781160d9815628e7fd2de9e53f5454dbcac7c84ca5, hash13 = fb713ccf839362bf0fbe01aedd6796f4d74521b133011b408e42c1fd9ab8246b)
  • Source: loligang.arm7, type: SAMPLE
  • Source: 6229.1.0000000051d3e91b.00000000a87f4f70.r-x.sdmp, type: MEMORY
  • Source: 6235.1.0000000051d3e91b.00000000a87f4f70.r-x.sdmp, type: MEMORY
  • Source: 6228.1.0000000051d3e91b.00000000a87f4f70.r-x.sdmp, type: MEMORY
  • Source: 6226.1.0000000051d3e91b.00000000a87f4f70.r-x.sdmp, type: MEMORY
Matched rule: MAL_ELF_LNX_Mirai_Oct10_2 (date = 2018-10-27, author = Florian Roth, description = Detects ELF malware Mirai related, reference = Internal Research, hash1 = fa0018e75f503f9748a5de0d14d4358db234f65e28c31c8d5878cc58807081c9)
  • Source: loligang.arm7, type: SAMPLE
  • Source: 6229.1.0000000051d3e91b.00000000a87f4f70.r-x.sdmp, type: MEMORY
  • Source: 6235.1.0000000051d3e91b.00000000a87f4f70.r-x.sdmp, type: MEMORY
  • Source: 6228.1.0000000051d3e91b.00000000a87f4f70.r-x.sdmp, type: MEMORY
  • Source: 6226.1.0000000051d3e91b.00000000a87f4f70.r-x.sdmp, type: MEMORY
Matched rule: MAL_ARM_LNX_Mirai_Mar13_2022 (date = 2022-03-16, author = Mehmet Ali Kerimoglu a.k.a. CYB3RMX, description = Detects new ARM Mirai variant, hash1 = 0283b72913b8a78b2a594b2d40ebc3c873e4823299833a1ff6854421378f5a68)
  • Source: loligang.arm7, type: SAMPLE
Source: loligang.arm7, ELF static info symbol of initial sample: __gnu_unwind_execute
Source: loligang.arm7, ELF static info symbol of initial sample: scanner.c
Source: loligang.arm7, ELF static info symbol of initial sample: scanner_init
Source: loligang.arm7, ELF static info symbol of initial sample: scanner_pid
Source: loligang.arm7, ELF static info symbol of initial sample: scanner_rawpkt
Source: /tmp/loligang.arm7 (PID: 6228), SIGKILL sent: pid: 936, result: successful
Source: /tmp/loligang.arm7 (PID: 6234), SIGKILL sent: pid: 936, result: successful
Source: /tmp/loligang.arm7 (PID: 6234), SIGKILL sent: pid: 6228, result: successful
Source: /tmp/loligang.arm7 (PID: 6234), SIGKILL sent: pid: 759, result: successful
Source: classification engine, Classification label: mal100.troj.linARM7@0/0@0/0
      Source: /tmp/loligang.arm7 (PID: 6234)File opened: /proc/2038/fdJump to behavior
      Source: /tmp/loligang.arm7 (PID: 6234)File opened: /proc/2038/exeJump to behavior
      Source: /tmp/loligang.arm7 (PID: 6234)File opened: /proc/1586/fdJump to behavior
      Source: /tmp/loligang.arm7 (PID: 6234)File opened: /proc/1586/exeJump to behavior
      Source: /tmp/loligang.arm7 (PID: 6234)File opened: /proc/1465/fdJump to behavior
      Source: /tmp/loligang.arm7 (PID: 6234)File opened: /proc/1465/exeJump to behavior
      Source: /tmp/loligang.arm7 (PID: 6234)File opened: /proc/1344/fdJump to behavior
      Source: /tmp/loligang.arm7 (PID: 6234)File opened: /proc/1344/exeJump to behavior
      Source: /tmp/loligang.arm7 (PID: 6234)File opened: /proc/1860/fdJump to behavior
      Source: /tmp/loligang.arm7 (PID: 6234)File opened: /proc/1860/exeJump to behavior
      Source: /tmp/loligang.arm7 (PID: 6234)File opened: /proc/1463/fdJump to behavior
      Source: /tmp/loligang.arm7 (PID: 6234)File opened: /proc/1463/exeJump to behavior
      Source: /tmp/loligang.arm7 (PID: 6234)File opened: /proc/2156/fdJump to behavior
      Source: /tmp/loligang.arm7 (PID: 6234)File opened: /proc/800/fdJump to behavior
      Source: /tmp/loligang.arm7 (PID: 6234)File opened: /proc/800/fdJump to behavior
      Source: /tmp/loligang.arm7 (PID: 6234)File opened: /proc/800/exeJump to behavior
      Source: /tmp/loligang.arm7 (PID: 6234)File opened: /proc/801/fdJump to behavior
      Source: /tmp/loligang.arm7 (PID: 6234)File opened: /proc/801/fdJump to behavior
      Source: /tmp/loligang.arm7 (PID: 6234)File opened: /proc/801/exeJump to behavior
      Source: /tmp/loligang.arm7 (PID: 6234)File opened: /proc/1629/fdJump to behavior
      Source: /tmp/loligang.arm7 (PID: 6234)File opened: /proc/1629/exeJump to behavior
      Source: /tmp/loligang.arm7 (PID: 6234)File opened: /proc/1627/fdJump to behavior
      Source: /tmp/loligang.arm7 (PID: 6234)File opened: /proc/1627/exeJump to behavior
      Source: /tmp/loligang.arm7 (PID: 6234)File opened: /proc/1900/fdJump to behavior
      Source: /tmp/loligang.arm7 (PID: 6234)File opened: /proc/1900/exeJump to behavior
      Source: /tmp/loligang.arm7 (PID: 6234)File opened: /proc/491/fdJump to behavior
      Source: /tmp/loligang.arm7 (PID: 6234)File opened: /proc/491/fdJump to behavior
      Source: /tmp/loligang.arm7 (PID: 6234)File opened: /proc/491/exeJump to behavior
      Source: /tmp/loligang.arm7 (PID: 6234)File opened: /proc/2294/fdJump to behavior
      Source: /tmp/loligang.arm7 (PID: 6234)File opened: /proc/2050/fdJump to behavior
      Source: /tmp/loligang.arm7 (PID: 6234)File opened: /proc/2050/exeJump to behavior
      Source: /tmp/loligang.arm7 (PID: 6234)File opened: /proc/1877/fdJump to behavior
      Source: /tmp/loligang.arm7 (PID: 6234)File opened: /proc/1877/exeJump to behavior
      Source: /tmp/loligang.arm7 (PID: 6234)File opened: /proc/772/fdJump to behavior
      Source: /tmp/loligang.arm7 (PID: 6234)File opened: /proc/772/fdJump to behavior
      Source: /tmp/loligang.arm7 (PID: 6234)File opened: /proc/772/exeJump to behavior
      Source: /tmp/loligang.arm7 (PID: 6234)File opened: /proc/1633/fdJump to behavior
      Source: /tmp/loligang.arm7 (PID: 6234)File opened: /proc/1633/exeJump to behavior
      Source: /tmp/loligang.arm7 (PID: 6234)File opened: /proc/1599/fdJump to behavior
      Source: /tmp/loligang.arm7 (PID: 6234)File opened: /proc/1599/exeJump to behavior
      Source: /tmp/loligang.arm7 (PID: 6234)File opened: /proc/1632/fdJump to behavior
      Source: /tmp/loligang.arm7 (PID: 6234)File opened: /proc/1632/exeJump to behavior
      Source: /tmp/loligang.arm7 (PID: 6234)File opened: /proc/1477/fdJump to behavior
      Source: /tmp/loligang.arm7 (PID: 6234)File opened: /proc/1477/exeJump to behavior
      Source: /tmp/loligang.arm7 (PID: 6234)File opened: /proc/774/fdJump to behavior
      Source: /tmp/loligang.arm7 (PID: 6234)File opened: /proc/774/fdJump to behavior
      Source: /tmp/loligang.arm7 (PID: 6234)File opened: /proc/774/exeJump to behavior
      Source: /tmp/loligang.arm7 (PID: 6226)Queries kernel information via 'uname': Jump to behavior
      Source: loligang.arm7, 6226.1.000000007380f233.000000001ab6ca97.rw-.sdmp, loligang.arm7, 6228.1.000000007380f233.0000000050387bb9.rw-.sdmp, loligang.arm7, 6229.1.000000007380f233.0000000050387bb9.rw-.sdmp, loligang.arm7, 6235.1.000000007380f233.0000000050387bb9.rw-.sdmpBinary or memory string: U!/etc/qemu-binfmt/arm
      Source: loligang.arm7, 6226.1.0000000078068229.0000000079bc9c10.rw-.sdmp, loligang.arm7, 6228.1.0000000078068229.0000000079bc9c10.rw-.sdmp, loligang.arm7, 6229.1.0000000078068229.0000000079bc9c10.rw-.sdmp, loligang.arm7, 6235.1.0000000078068229.0000000079bc9c10.rw-.sdmpBinary or memory string: Wx86_64/usr/bin/qemu-arm/tmp/loligang.arm7SUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/loligang.arm7
      Source: loligang.arm7, 6226.1.000000007380f233.000000001ab6ca97.rw-.sdmp, loligang.arm7, 6228.1.000000007380f233.0000000050387bb9.rw-.sdmp, loligang.arm7, 6229.1.000000007380f233.0000000050387bb9.rw-.sdmp, loligang.arm7, 6235.1.000000007380f233.0000000050387bb9.rw-.sdmpBinary or memory string: /etc/qemu-binfmt/arm
      Source: loligang.arm7, 6226.1.0000000078068229.0000000079bc9c10.rw-.sdmp, loligang.arm7, 6228.1.0000000078068229.0000000079bc9c10.rw-.sdmp, loligang.arm7, 6229.1.0000000078068229.0000000079bc9c10.rw-.sdmp, loligang.arm7, 6235.1.0000000078068229.0000000079bc9c10.rw-.sdmpBinary or memory string: /usr/bin/qemu-arm

      Stealing of Sensitive Information

      Source: Yara match File source: dump.pcap, type: PCAP
      Source: Yara match File source: loligang.arm7, type: SAMPLE
      Source: Yara match File source: 6229.1.0000000051d3e91b.00000000a87f4f70.r-x.sdmp, type: MEMORY
      Source: Yara match File source: 6235.1.0000000051d3e91b.00000000a87f4f70.r-x.sdmp, type: MEMORY
      Source: Yara match File source: 6228.1.0000000051d3e91b.00000000a87f4f70.r-x.sdmp, type: MEMORY
      Source: Yara match File source: 6226.1.0000000051d3e91b.00000000a87f4f70.r-x.sdmp, type: MEMORY

      Remote Access Functionality

      Source: Yara match File source: dump.pcap, type: PCAP
      Source: Yara match File source: loligang.arm7, type: SAMPLE
      Source: Yara match File source: 6229.1.0000000051d3e91b.00000000a87f4f70.r-x.sdmp, type: MEMORY
      Source: Yara match File source: 6235.1.0000000051d3e91b.00000000a87f4f70.r-x.sdmp, type: MEMORY
      Source: Yara match File source: 6228.1.0000000051d3e91b.00000000a87f4f70.r-x.sdmp, type: MEMORY
      Source: Yara match File source: 6226.1.0000000051d3e91b.00000000a87f4f70.r-x.sdmp, type: MEMORY

      Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
      Valid Accounts | Windows Management Instrumentation | Path Interception | Path Interception | 1 Masquerading | 1 OS Credential Dumping | 11 Security Software Discovery | Remote Services | Data from Local System | Exfiltration Over Other Network Medium | 1 Encrypted Channel | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
      Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Rootkit | LSASS Memory | Application Window Discovery | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | 1 Non-Standard Port | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
      Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Obfuscated Files or Information | Security Account Manager | Query Registry | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | 1 Application Layer Protocol | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data

      No configs have been found